Re: Windows Messenger Pop-up spam

["Kevin Davis" <kevin.davis () mindless com>]

> > Disabling unneeded services is not an adequate protection from
> > malware.
>
> It is an adequate protection from malware that tries to attack services.

Which is a subset of all malware.  Probably a small subset.  The goal is to 
protect from all malware.

> > There are tons of malware - in fact probably the majority that set up
> > their own "server" once it infects the target system.
>
> If malware is already running on the system, the box is 0wned and
> schould be rebuilt.

Of course some type of cleaning is required if malware gets on the box. 
Making a blanket statement that the box needs to be totally rebuilt at the 
slightest infection of spyware is extreme - at least for the home user.  The 
point of the discussion was what is effective in repelling malware attacks 
and vulnerable conditions.  You suggest that turning off all services and 
keeping your system patched is all that is needed.  That's really quite 
ridiculous considering the various types of attack vectors that are being 
used - malware can get on your system in the form of BHO in your browser. 
Malware can get on your system by opening email.  Malware can get on your 
system using IM, IRC, or unknowlingly downloading some cool program and it 
being a trojan.  You can patch and turn off all the services you want and 
this won't keep the malware away - for the typical user.

And doing what you suggest will most likely set up the condition that when 
such malware gets on the box, the user will literally have almost no chance 
of finding out.  At least with a firewall and AV software, there's a decent 
chance that it will be discovered.

> > That's where personal firewalls help.
>
> No.

Yes.

> > A new, unknown process is trying to get out to the net - the firewall
> > will catch this and alert the user.
>
> The firewall may possibly catch this and alert the user. Or the malware
> may simply sneak around the firewall. Or disable it. You can't rely on
> PFWs to control outbound traffic.

You never rely on anything 100%.  It is possible that the malware will do as 
you say.  But with your advice, it won't have to sneak around anything and 
will have a low probability of being discovered.

> > 2. Get your systems behind a firewall (a personal firewall if a home
> > user).
>
> Firewall on a router: very well. Personal Firewall: most likely not.
> Yes, there are some exceptions, but their number is few.
>
> > 3.  Get your system behind a router.
>
> Local networks of any kind: of course. A single home computer: maybe,
> but not a must.
>
> > 4.  Harden system by turning off uneeded services.
>
> That would be my second step. No services -> nothing to exploit. I would
> consider using a Personal Firewall *only* if for some reason a service
> can't be disabled or bound to a specific interface.

Again, you can't always turn off all services.  Probably not even most of 
the time.

> > 5.  Employ the use of virus and spyware scanners\blockers
>
> Virus scanners may be useful.

Why would you think so?  You seem to be claiming that using your method 
would grant you immunity from such things.

> However, one should be aware of their
> limitations, since each virus scanner is just as good or bad as its
> virus definitions.

That goes without saying.

> As for spyware scanners/blockers: I usually prefer to
> not install spyware in the first place. Avoiding IE/OE helps. Much.

People also generally prefer not to install viruses.  It would be nice if 
there was always a dialog popping up asking you if you wanted to install 
this virus or malware.  You have to be realistic.  You need to think in 
terms of users who aren't as savvy as you.  You are putting absolutley no 
outbound checks in place.  Of course avoiding IE and such helps, but that's 
a personal choice.  In general practice, until the alternatives to OE\IE 
become the dominant players, people are going to use IE and OE.  You can 
attempt to get people to use other things but don't count on it.  Even if 
they do, having no outbound checks is really quite weak security.  Even if 
there's only a 50% chance that something gets caught, it's worth it.

> > The small, inexpensive SOHO routers only block inbound traffic. If a
> > user gets some malware on their system, this helps them not.
>
> Neither does a PFW. Once malware is running on your system, you're
> toast. Period. Even Microsoft finally did understand that [1].

What is better - having an owned box and knowing it or having an owned box 
and having no clue?

And no, you're not toast if *any* malware is running on your box.  In some 
(maybe many) cases, that may be true, but if I get a trivial spyware program 
installed, that does not require me to trash the box.  In a corporate 
setting where there are canned images and plentiful network data storage to 
mitigate potential loss, that may be the most expedient solutions.  Not 
necessarily the case at home.

> > > If there's no LAN but just a single host with Internet connection,
> > > then why does the box need to provide any services at all? IMnsHO.
> >
> > You can't make a blanket statement like this for all cases.  In some
> > cases this would be true, in others not.
> >
> > Lets take the Messenger service, for instance.  Some people should
> > *not* turn off the Messenger service.  Why?  Maybe they are running
> > one of the several virus scanning products that use the Messenger
> > service to alert the user of a virus problem.
>
> Any AV software that uses the messenger service for notifying the
> (local) user should be trashed *immediately*, because of major
> incompetence of the vendor.

I agree but that approach doesn't always leave one with many choices. 
That's just one example.  There are tons of software packages that install 
their own services - many of which are network related services.  For 
instance, most AV software installs an automatic updating service.  Sure you 
can turn it off, but the typical user will never remember to update their AV 
signatures.  Which is worse - having that service running or having it 
turned off and AV software with 2 year old signatures?

> I still fail to see *any* good reason why a single computer (no LAN)
> should *not* have all services disabled.


Do an experiment.  Take a box and install Windows XP on it and disable ALL 
of the services.  Use the box for a few months as your primary box for doing 
everything including getting on the net.